Traditional web services that are accessed by a web browser typically utilize hypertext markup language (HTML) and Javascript, which provide the capability to determine legitimate use of the web service, such as presenting Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) and other challenge questions to the user. However, unlike traditional web services, wireless communication devices often employ mobile applications to communicate with web servers. For example, typical mobile applications pull data down from web servers for display to the user, and also allow the user to modify the data and submit it back to the server.
Mobile applications commonly utilize mobile application programming interfaces (APIs) to communicate with external web services and provide their functionality to the user. The communication between native mobile applications and mobile APIs on the web servers is typically done using JavaScript Object Notation (JSON), Extensible Markup Language (XML), and other protocols that do not employ security techniques but are simply used to provide an exchange of data between the client and server. Thus, the core application communication between the mobile application and the web service utilizes a mobile API with no security in place to validate the legitimacy of the request. Unfortunately, these weaknesses are easily exploited to bypass the security solutions used on traditional web services and allow unauthorized communication with web servers using the mobile API, subjecting the web service to possible malicious use.